As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories—Shimrit Tzur-David, the CSO and Co-Founder at Secret Double Octopus, shares some expert insights on selecting the best type of passwordless system for your company’s needs.
In passwordless authentication, not all security methods are created equal. It’s important to distinguish between the two popular variants in Multi-Factor Authentication (MFA) systems: a “passwordless experience” versus a “fully passwordless” authentication process.
Understanding these admittedly confusing terms and their differences is vital when choosing the level of security risk you are willing to live with. This is all the more pressing when you consider that attackers are targeting companies more than ever in the current remote-work environment, and phishing and ransomware campaigns routinely start with a stolen or guessed credential. The Verizon Data Breach Investigations Report consistently finds that compromised credentials are involved in roughly 60% to 80% of hacking-related breaches (depending on the year).
The two passwordless variations have pros and cons, and companies tend to run into similar issues as they evaluate and choose between the different systems. So how do you decide which passwordless architecture is right for your business?
Most of the current passwordless authentication methods are powered by public-key cryptography (the user's device holds a private key, ideally in a hardware-protected store such as a TPM or secure enclave, while the service holds only the matching public key) and biometrics (fingerprints, facial or iris scans, etc.), thus removing the need for actual passwords. A helpful way to think of this is that these systems rely on what you have (the device holding the private key) or what you are (biometric measurements) instead of what you remember (traditional passwords).
These processes make a business’s network far more secure and save on costs by minimizing employee downtime and reducing the time spent by IT help desks helping employees regain access to computer systems. That said, some “passwordless” authentication systems don’t really merit the moniker.
The “Passwordless Experience”
“Passwordless experience” systems provide some of the user experience (UX) benefits of a password-free system. However, they still require users to remember passwords at some point in the resource or service interaction lifecycle. They generally depend on a centrally stored password, so the possibility of a breach still exists. So calling these systems “passwordless” is a bit of a misnomer.
Passwordless-experience systems keep the password in the background, out of the user's view. However, the password is still technically present and is still needed to authenticate some logins, most notably the first sign-in after a reboot on a desktop computer. So the passwordless experience is mostly passwordless, but it does not remove the password as an attack surface. End-users may still write their passwords down or keep them in a file on their computers, and the passwords will still be stored centrally in a user directory, where a breach of that directory exposes them.
Examples of passwordless-experience systems include the hardware-bound biometrics used by Microsoft in Windows Hello for Business and Apple's Touch ID. In both, the biometric unlocks a device-bound key rather than being sent anywhere, so the user rarely types a password, but in the default configuration the account behind the biometric still has a password that the user must create, remember, and fall back to from time to time (after a reboot, or on a new device), and that password still lives in the directory.
Fully Passwordless
The fully passwordless approach frees the end-user from having to come up with or remember a password at all. So there is no risk of losing, forgetting, or accidentally sharing passwords. That is the real promise of passwordless: removing the password removes the whole class of attacks that depend on one, such as phishing for credentials, credential stuffing, password spraying, and dumps of the password store.
Complete passwordless systems are more secure than passwordless-experience systems and standard MFA systems because there is no threat of a password falling into the wrong hands. To many, that’s the Holy Grail of passwordless authentication.
It’s worth mentioning that “full passwordless” refers only to the goal of completing every authentication case without the end-user ever having to remember a password. Biometrics are a popular option, as they only require a fingerprint or facial scan of the user, meaning there is nothing for them to forget. In well-designed systems the biometric template never leaves the device; it unlocks a locally held key, and that key is what actually authenticates to the service. It also allows for a quicker and more efficient user experience, as those logging in can simply touch a fingerprint sensor or look into a camera.
Public-key cryptography is another popular fully passwordless method that lets users log into a given system with a private key held on their mobile device or security key. During enrollment, the device generates a key pair and registers only the public key with the account. At login, the service sends a fresh random challenge, the device signs it with the private key, and the service verifies that signature with the public key it holds for the account. The private key is never transmitted, so there is nothing reusable for a phisher or a breached server to collect.
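The challenge-response exchange described above, as an added example that is not part of the original column and not the code of any product named on this page. It uses only Go's standard-library Ed25519 to model both sides: the device keeps the private key, the server keeps only the public key, and the device signs the server's random challenge bound to the relying-party identifier. The user name, relying-party ID and the phishing domain are constructed placeholders. Beyond what the paragraph states, the example also shows the three checks a practitioner would want: the challenge is single-use (a replayed signature is rejected), it expires, and a signature produced for a different site (a phishing page relaying the real challenge) fails because the site identifier is part of what is signed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Account is everything the server keeps per user after registration:
// a public key, no password and no other secret.
type Account struct {
	PublicKey ed25519.PublicKey
}

// Challenge is an outstanding random nonce issued to one user; consumed on first use.
type Challenge struct {
	Nonce   []byte
	Expires time.Time
}

// Server models the relying party. rpID is the site identifier that the
// device binds into every signature (assumed value, see lead-in).
type Server struct {
	rpID     string
	accounts map[string]Account   // user name -> registered public key
	pending  map[string]Challenge // user name -> outstanding challenge
	now      func() time.Time     // injectable clock so expiry can be tested
}

func NewServer(rpID string) *Server {
	return &Server{rpID: rpID, accounts: map[string]Account{}, pending: map[string]Challenge{}, now: time.Now}
}

// Register stores the public key generated on the device. The private key never leaves it.
func (s *Server) Register(user string, pub ed25519.PublicKey) {
	s.accounts[user] = Account{PublicKey: pub}
}

// IssueChallenge returns a fresh 32-byte random nonce the device must sign, valid for ttl.
func (s *Server) IssueChallenge(user string, ttl time.Duration) ([]byte, error) {
	if _, ok := s.accounts[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = Challenge{Nonce: nonce, Expires: s.now().Add(ttl)}
	return nonce, nil
}

// signedMessage is the exact byte string the device signs: nonce || rpID.
// Including the site identifier is what defeats a phishing site that relays the real nonce.
func signedMessage(nonce []byte, rpID string) []byte {
	return append(append([]byte{}, nonce...), []byte(rpID)...)
}

// DeviceSign is the device side: sign the challenge for the site the user is actually talking to.
func DeviceSign(priv ed25519.PrivateKey, nonce []byte, rpID string) []byte {
	return ed25519.Sign(priv, signedMessage(nonce, rpID))
}

// Verify accepts the login only if the signature was made by the registered key over the
// outstanding, unexpired challenge and this server's own rpID. The challenge is deleted
// whether or not the check passes, so the same (nonce, signature) pair cannot be replayed.
func (s *Server) Verify(user string, nonce, sig []byte) error {
	acct, ok := s.accounts[user]
	if !ok {
		return errors.New("unknown user")
	}
	ch, ok := s.pending[user]
	delete(s.pending, user) // single use
	if !ok || !bytes.Equal(ch.Nonce, nonce) {
		return errors.New("no matching outstanding challenge")
	}
	if s.now().After(ch.Expires) {
		return errors.New("challenge expired")
	}
	if !ed25519.Verify(acct.PublicKey, signedMessage(nonce, s.rpID), sig) {
		return errors.New("signature does not verify under the registered public key")
	}
	return nil
}

func main() {
	// Enrollment: the device generates the key pair; only pub is sent to the server.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := NewServer("login.example.com")
	srv.Register("alice", pub)

	// Legitimate login.
	nonce, _ := srv.IssueChallenge("alice", time.Minute)
	sig := DeviceSign(priv, nonce, "login.example.com")
	fmt.Printf("challenge %s... login: %v\n", hex.EncodeToString(nonce[:4]), srv.Verify("alice", nonce, sig))

	// Replay of the captured signature: rejected, the challenge was consumed.
	fmt.Println("replay:", srv.Verify("alice", nonce, sig))

	// Phishing: evil.example relays the real nonce, but the device signs for evil.example.
	nonce2, _ := srv.IssueChallenge("alice", time.Minute)
	fmt.Println("phished:", srv.Verify("alice", nonce2, DeviceSign(priv, nonce2, "evil.example")))
}
```

Because the server holds only public keys, a dump of its account table yields nothing an attacker can log in with, which is the property the column is pointing at; the single-use and expiry checks are what keep a captured signature from being worth anything either.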
So which system is better? The choice is ultimately up to you, but for the genuinely security-minded, full passwordless wins hands down. Though it may require additional resources or expenditure to enable some passwordless solutions, such as biometrics, your organization’s added protection is worth the extra effort, and in day-to-day use most end-users will not be able to tell the difference.
Ultimately, the answer will depend on your organization and its needs. A passwordless experience and a complete passwordless system will improve security and ease of use, but the latter will allow you to ditch unreliable passwords.
- Which Passwordless System Is Better for Your Business? - March 28, 2022